Analysis Overview
SHA256
548e599ee8ece55a499a0b00cd1ab80f6c05311ec7c36fb335f0a5a2d38d1ea7
Threat Level: Known bad
The file 159fb10a93017079f3e125136ddb4800_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-09 07:16
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 07:16
Reported
2024-06-09 07:19
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\159fb10a93017079f3e125136ddb4800_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\159fb10a93017079f3e125136ddb4800_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\159fb10a93017079f3e125136ddb4800_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\159fb10a93017079f3e125136ddb4800_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ecaec24c912ef002036c86b0fd2e2859 |
| SHA1 | 31f5caa6c4d437e53300e5ed49957a8437f6b9ec |
| SHA256 | 8b2a3decf94e6803a03edd75fffc5df9e23ff422292e24580e1e7b800892c5f9 |
| SHA512 | ce05b548a4aef3831da8d255dfe3aa51964f68e6bc54ccaecda3d0bc5c45f7f90f7f0b8158cf0b3dbc38545774d26c2974b34222a867ab446d2ec9722b739cdd |
\Windows\SysWOW64\omsecor.exe
| MD5 | 5b17ff8a129b6d17801115467db3cf1d |
| SHA1 | 4e8e644b8a3b93c0e03235392a9e8f39074f1718 |
| SHA256 | bb81c4bcb4df1d53aeeec45a8c3630d010431982f26fbb42491ed44adb6aee70 |
| SHA512 | 3d3ccf91ee4e2c7e2fb1f3d59a8c570a7f50ab4ae720f90ad3ee5f9ba1267940c6b12e608ae4ba37954df04f2d157a3346f15361387dc79a95709f604ab3446a |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1facf94831dd208ba3bb400f5b770d27 |
| SHA1 | eda9fbbc10e030a0bec3e98b6e72e09f7e23d259 |
| SHA256 | 5796ca37a7438742e7ad81aa12a37baacd0b1a909dad11857eab4b70f534182c |
| SHA512 | a61aa77b8a087d52779f81c9af98d92fe9754864a8016a177c4da9918969f013e0e7551e9cbbacd456d8c14874067514681080c1d8ddbc35f45de6e94d3fb9c4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 07:16
Reported
2024-06-09 07:19
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\159fb10a93017079f3e125136ddb4800_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\159fb10a93017079f3e125136ddb4800_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ecaec24c912ef002036c86b0fd2e2859 |
| SHA1 | 31f5caa6c4d437e53300e5ed49957a8437f6b9ec |
| SHA256 | 8b2a3decf94e6803a03edd75fffc5df9e23ff422292e24580e1e7b800892c5f9 |
| SHA512 | ce05b548a4aef3831da8d255dfe3aa51964f68e6bc54ccaecda3d0bc5c45f7f90f7f0b8158cf0b3dbc38545774d26c2974b34222a867ab446d2ec9722b739cdd |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 4b8ced504bc21b63fcbf79a10480d96a |
| SHA1 | 67da22a08c839c85be3c07c1a32fa93f3e190bc1 |
| SHA256 | 748e438597ccc7a9138bbf957d0d02a949475fb932379070ba2a1d9066b5b8a9 |
| SHA512 | 5e0b16956d2d3604dee34332639ad8f485551a63276341babda7a8a78e1d0ea369521b7af900823e85b17b208fcce1bc983cb632633d33c7ca0596489f64be8a |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cf5068c2e6b29ed1a24f51c5ea72ab44 |
| SHA1 | 86aa0aee05997f929426fc402ff0c26f2e998896 |
| SHA256 | a5fb5c4ff84002f52da7998caeb1f479d2219e79261302dae75bc6441c617f21 |
| SHA512 | 00130d1136746b5a45ce5c7c8d945b64ada1ec5b539137bc550b8d2886de419195afc3cfb5d8623dfa2eb2b932d24041b26e110f2eb06e2f9f2e4e828c49d839 |